Wh04m1001 / DFSCoerce


Feature request - Coercing HTTP Authentication From Machine Accounts

jsdhasfedssad opened this issue

Hi. Love your tool! I have added it to my collection of other similar tools.

There are many tools that can coerce SMB authentication from machine accounts such as domain controllers. There is, however, to my knowledge, only one that can coerce HTTP authentication from servers. PetitPotam can do this if the command used is "[NetBIOS name of Responder or first part of a DNS record]@80/[random file name] [DC IP to force HTTP authentication from]" and Responder is running, broadcasting its NetBIOS name. In the case of PetitPotam, however, the role WebDav must be installed on a DC and its service must be running. Often low priv. credentials are needed, but not in all cases. If all requirements are in place you can perform a relay attack against LDAPS running on a DC using Impacket, thereby adding a domain administrator account which you can then DCSync with.

My questions for you are the following:

  • Is it possible to coerce HTTP authentication using the method you use in your tool? If so, would you be willing to implement that?
  • Assuming it is possible, can HTTP authentication be coerced without the need for WebDav?

Thanks!

Hi,

Any tool that can coerce authentication (PetitPotam, PrinterBug, ShadowCoerce) can force HTTP authentication if the server has the WebClient service running. The same goes for this tool (I didn't really test it, but there is no reason it should not work). The WebClient service on a DC is not that common, but I have seen it a few times on 2012 DCs.

OK. I did not know that all tools should be able to do this. Great to hear.

I tested this using your tool and I get lookups for the NetBIOS name of Responder, but I do not get the HTTP authentication. Of course, I am not sure of the syntax I need to use, so I used the same as I use for PetitPotam. You can also see that the WebClient service is running on the target and that the SMB server in Responder is disabled. Any ideas?

[image: dfscoerce1]

Will investigate this later today.
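
The precondition discussed in this thread, the WebClient service running on a server, can be audited from the defender's side. The PowerShell below is an added example, not part of the issue thread or the DFSCoerce project; the host names are constructed placeholders and the function name `Get-WebClientExposure` is hypothetical.

```powershell
# Added example: report whether the WebClient (WebDAV redirector) service is
# present, running, or startable on a list of servers such as domain controllers.
# The default host names are constructed placeholders, not real systems.
param(
    [string[]]$ComputerName = @('dc01.example.test', 'dc02.example.test')
)

function Get-WebClientExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # Returns nothing (no error) when the service is not installed.
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                -Filter "Name='WebClient'" -ErrorAction Stop
        } catch {
            [pscustomobject]@{
                Computer = $computer; State = 'Unknown'; StartMode = $null
                Finding  = "Query failed: $($_.Exception.Message)"
            }
            continue
        }

        if (-not $svc) {
            [pscustomobject]@{
                Computer = $computer; State = 'NotInstalled'; StartMode = $null
                Finding  = 'OK: WebClient service not present'
            }
            continue
        }

        # A stopped service that is not disabled can still be started later,
        # so only StartMode = Disabled is reported as the low-risk state.
        $finding = if ($svc.State -eq 'Running') {
            'HIGH: WebClient running, HTTP authentication can be coerced'
        } elseif ($svc.StartMode -ne 'Disabled') {
            'MEDIUM: WebClient installed and startable, disable or remove it'
        } else {
            'LOW: WebClient installed but disabled'
        }

        [pscustomobject]@{
            Computer = $computer; State = $svc.State
            StartMode = $svc.StartMode; Finding = $finding
        }
    }
}

Get-WebClientExposure -ComputerName $ComputerName | Format-Table -AutoSize
```

Hosts reported as HIGH or MEDIUM are candidates for disabling the service or removing the feature that installs it.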